Method And Apparatus For Generating A Cryptographic Key

Field of the Invention

The present invention relates to a method and apparatus for generating a cryptographic key.

Background of the Invention

An important feature associated with cryptography is the provision of a trusted authority, where a trusted authority is responsible for issuing private and public keys to appropriate individuals/entities. However, as a private key is, by its nature, private to a specific individual/entity, it is essential that a user can trust that the trusted authority will not disclose or otherwise use the user's private key in an inappropriate manner. However, it can be difficult for a user to build a strong trust relationship with a single trusted authority.

One solution to this problem has involved the use of a plurality of trusted authorities to generate individual parts of a private key, where no one trusted authority has access to the complete private key. In particular, one solution involves the use of a shared secret in which a group of trusted authorities use the shared secret to generate their portion of the private key. However, this solution requires the use of a trusted secret distributor.

Another solution involves each trusted authority providing a portion of a private key based upon the identity of the user where the identity of the user is the same for each trusted authority. However, in many applications a user may have different identities when dealing with the different trusted authorities.



It is desirable to improve this situation. 




Embodiments of the present invention to be described hereinafter make use of cryptographic techniques using bilinear mappings. Accordingly, a brief description will now be given of certain such prior art techniques.

In the present specification, $G_1$ and $G_2$ denote two algebraic groups of prime order $q$ in which the discrete logarithm problem is believed to be hard and for which there exists a computable bilinear map $p$, for example, a Tate pairing $t$ or Weil pairing $e$. Thus, for the Weil pairing:

$e: G_1 \times G_1 \rightarrow G_2$

where $G_2$ is a subgroup of a multiplicative group of a finite field. The Tate pairing can be similarly expressed though it is possible for it to be of asymmetric form:

$t: G_1 \times G_0 \rightarrow G_2$

where $G_0$ is a further algebraic group the elements of which are not restricted to being of order $q$. Generally, the elements of the groups $G_0$ and $G_1$ are points on an elliptic curve though this is not necessarily the case. For convenience, the examples given below assume the elements of $G_0$ and $G_1$ to be points on an elliptic curve and use a symmetric bilinear map ($p: G_1 \times G_1 \rightarrow G_2$); however, these particularities are not to be taken as limitations on the scope of the present invention.



As is well known to persons skilled in the art, for cryptographic purposes, a modified form of the Weil pairing is used that ensures $p(P, P) \neq 1$ where $P \in G_1$; however, for convenience, the pairing is referred to below simply by its usual name without labeling it as modified. Further background regarding Weil and Tate pairings and their cryptographic uses can be found in the following references:

- G. Frey, M. Muller, and H. Ruck. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, 1717-1719, 1999.

- D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

For convenience, the examples given below assume the use of a symmetric bilinear map ($p: G_1 \times G_1 \rightarrow G_2$) with the elements of $G_1$ being points on an elliptic curve; however, these particularities are not to be taken as limitations on the scope of the present invention.

As the mapping between $G_1$ and $G_2$ is bilinear, exponents/multipliers can be moved around. For example, if $a, b, c \in F_q$ and $P, Q \in G_1$ then

$t(aP, bQ)^c = t(aP, cQ)^b = t(bP, cQ)^a = t(bP, aQ)^c = t(cP, aQ)^b = t(cP, bQ)^a$

$= t(abP, Q)^c = t(abP, cQ) = t(P, abQ)^c = t(cP, abQ)$

$= t(abcP, Q) = t(P, abcQ) = t(P, Q)^{abc}$



Additionally, the following cryptographic hash functions are defined:

$H_1: \{0,1\}^* \rightarrow G_1$;

$H_2: \{0,1\}^* \rightarrow F_q$;

$H_3: G_2 \rightarrow \{0,1\}^*$;

A normal public/private key pair can be defined for a trusted authority:

the private key is $s$ where $s \in F_q$;

the public key is $(P, R)$ where $P \in G_1$ and $R \in G_1$, with $R = sP$.

Additionally, an identifier based public key / private key pair can be defined for a party with the cooperation of the trusted authority. As is well known to persons skilled in the art, in "identifier-based" cryptographic methods a public, cryptographically unconstrained, string is used in conjunction with public data of a trusted authority to carry out tasks such as data encryption or signing. The complementary tasks, such as decryption and signature verification, require the involvement of the trusted authority to carry out computation based on the public string and its own private data. Frequently, the string serves to "identify" the intended message recipient and this has given rise to the use of the label "identifier-based" or "identity-based" generally for these cryptographic methods. However, depending on the application to which such a cryptographic method is put, the string may serve a different purpose to that of identifying the intended recipient and, indeed, may be an arbitrary string having no other purpose than to form the basis of the cryptographic processes. Accordingly, the use of the term "identifier-based" herein in relation to cryptographic methods and systems is to be understood simply as implying that the methods and systems are based on the use of a cryptographically unconstrained string whether or not the string serves to identify the intended recipient. Furthermore, as used herein the term "string" is simply intended to imply an ordered series of bits whether derived from a character string, a serialized image bit map, a digitized sound signal, or any other data source.



In the present case, the identifier-based public / private key pair defined for the party has a public key $Q_{ID}$ and private key $S_{ID}$ where $Q_{ID}, S_{ID} \in G_1$. The trusted authority's normal public/private key pair $(P, R / s)$ is linked with the identifier-based public/private key by:

$S_{ID} = sQ_{ID}$ and $Q_{ID} = H_1(ID)$

where ID is the identifier string for the party.



Some typical uses for the above described key pairs will now be given with reference to Figure 1 of the accompanying drawings that depicts a trusted authority 10 with a public key $(P, sP)$ and a private key $s$. A party A serves as a general third party whilst for the identifier-based cryptographic tasks (IBC) described, a party B has an IBC public key and an IBC private key.



Standard Signatures (see dashed box 2): The holder of the private key $s$ (that is, the trusted authority 10 or anyone to whom the latter has disclosed $s$) can use $s$ to sign a bit string; more particularly, where $m$ denotes a message to be signed, the holder of $s$ computes:

Verification by party A involves this party checking that the following equation is satisfied:

This is based upon the mapping between $G_1$ and $G_2$ being bilinear exponents/multipliers, as described above. That is to say,

$t(P, V) = t(P, sH_1(m))$

$= t(sP, H_1(m))$

$= t(R, H_1(m))$

Identifier-Based Encryption (see dashed box 3): Identifier based encryption allows the holder of the private key of an identifier based key pair (in this case, party B) to decrypt a message sent to them encrypted (by party A) using B's public key $Q_{ID}$.

More particularly, party A, in order to encrypt a message $m$, first computes:

$U = rP$

where $r$ is a random element of ; Next, party A computes:

$V = m \oplus H_3(t(R, rQ_{ID}))$

Party A now has the ciphertext elements $U$ and $V$ which it sends to party B.

Decryption of the message by party B is performed by computing:

$\ldots \oplus H_3(t(rP, s \ldots))$

Identifier-Based Signatures (see dashed box): Identifier based signatures using Tate pairing can be implemented, for example:

Party B first computes:

where $k$ is a random element of $F_q$.

Party B then applies the hash function $H_2$ to $m \| r$ (concatenation of $m$ and $r$) to obtain:

$h = H_2(m \| r)$.

Thereafter party B computes:

$U = (k - h)S_{ID}$

thus generating the output $U$ and $h$ as the signature on the message $m$.

Verification of the signature by party A can be established by computing:

where the signature can only be accepted if $h = H_2(m \| r')$.

Summary of the Invention

In accordance with a first aspect of the present invention there is provided a computer apparatus comprising a processor arranged to generate a cryptographic key using a first data set that corresponds to a first identifier, a second data set that corresponds to a first trusted party's public key, a third data set that corresponds to a second identifier and a fourth data set that corresponds to a second trusted party's public key.

The cryptographic key is, for example, one of an encryption key, a decryption key, a signature key and a verification key, and is preferably generated by applying Tate or Weil bilinear mappings to the data sets.

In accordance with a second aspect of the present invention there is provided a method comprising generating a cryptographic key using a first data set that corresponds to a first identifier, a second data set that corresponds to a first trusted party's public key, a third data set that corresponds to a second identifier and a fourth data set that corresponds to a second trusted party's public key.

In accordance with a third aspect of the present invention there is provided a computer system comprising a first computer entity arranged to generate a first data set that corresponds to a first trusted party's public key; a second computer entity arranged to generate a second data set that corresponds to a second trusted party's public key; and a third computer entity arranged to generate a cryptographic key using a first identifier in conjunction with the first data set and a second identifier in conjunction with the second data set.

In accordance with a fourth aspect of the present invention there is provided a method of generating a cryptographic key wherein a bilinear mapping function is used to process multiple data sets each comprising data related to a respective association of trusted authority and user identity.

In one implementation the cryptographic key is an encryption key with each data set comprising an identity-based public key derived from said user identity, and a public key element of the trusted authority that is based on a secret of the latter. In another implementation, the cryptographic key is a decryption key, each data set comprising an identity-based private key derived from said user identity and a secret of the trusted authority. In a further implementation, the cryptographic key is a signature key, each data set comprising an identity-based private key derived from said user identity and a secret of the trusted authority. In a still further implementation, the cryptographic key is a verification key, each data set comprising an identity-based public key derived from said user identity, and a public key element of the trusted authority that is based on a secret of the latter.



At least two of the data sets may relate to different user identities and/or different 
trusted authorities. Where multiple trusted authorities are involved, these authorities 
may be associated with different elements to which said bilinear mapping function 
can be applied, each trusted authority having an associated public key formed from its 
associated element and a secret of that trusted authority. 



The present invention also encompasses computer program products for implementing the foregoing method and apparatus of the invention.

Brief Description of the Drawings 

Embodiments of the invention will now be described, by way of non-limiting example, with reference to the accompanying diagrammatic drawings, in which:

Figure 1 is a diagram showing prior art cryptographic processes based on elliptic curve cryptography using Tate pairings;

Figure 2 is a diagram illustrating a system with multiple trusted authorities that is used in first, second, third and fourth embodiments of the invention; and

Figure 3 is a table showing, for each of the described embodiments, various cryptographic elements used.

Best Mode of Carrying Out the Invention

Four embodiments of the invention are described below, all of which are based on bilinear mappings applied to points on an elliptic curve. The first embodiment uses Tate pairings for which the notations and definitions given in the introductory portion of the present specification also apply. The second, third and fourth embodiments are based on Weil pairings and use notations and definitions given in the description of those embodiments. It will be appreciated that other suitable pairings can alternatively be used and that the generalisations noted above with respect to the cryptographic usages of bilinear maps also apply to implementation of the present invention.

For convenience, all four embodiments use the same computer network system that is illustrated in Figure 2. More particularly, Figure 2 shows a first computer entity 10, a second computer entity 20, a third computer entity 25, a fourth computer entity 30, and a fifth computer entity 40 connected via a network 50, for example the Internet. The first computer entity 10 represents a first trusted authority 60, for example a company, the second computer entity 20 represents a second trusted authority 70, for example a division within the company, and the third computer entity 25 represents a third trusted authority 200, for example a bank acting for the company; the second and third trusted authorities 70, 200 are thus both second-level trusted authorities with the same root trusted authority 60. The fourth computer entity 30 represents a user 80, for example a worker within the company. The fifth computer entity 40 represents, for example, a business partner 90 of the company that wishes to interact with the user 80.

The first, second, third, fourth and fifth computer entities 10, 20, 25, 30, 40 are conventional program-controlled computing devices though specialised hardware may be provided to effect particular cryptographic processes.

The root trusted authority 60 has a standard public key $(P, s_0P)$ / private key $s_0$ key pair where $s_0$ is a random secret and P is an element of $G_1$ (as indicated above, the elements of $G_1$ are, for the described embodiments, points on an elliptic curve). The second-level trusted authorities 70 and 200 have their own respective random secrets $s_1$ and $s_2$ and use the same point P as the root authority 60 to form respective standard public/private keys pairs: $(P, s_1P)/s_1$ and $(P, s_2P)/s_2$.

The network 50 could include additional second-level trusted authorities, giving n such authorities in total. However, for the purposes of the present embodiment only two second-level trusted authorities will be considered. In a more general case, the trusted authorities can be totally independent to each other and there is no need for any business relationship to exist between the trusted authorities, in fact the trusted authorities do not need to know each other. For example the trusted authorities may not belong to the same root trusted authority. Indeed, one or more of the trusted authorities could be a root authority.



The user 80 has an independent identity associated with each second-level trusted authority 70, 200, namely an identity $ID_i \in \{0,1\}^*$ where $i = 1, \ldots, n$ with the corresponding second-level authority TAi; in the present example, n = 2 with TA1 being the authority 70 and TA2 the authority 200. Thus, the user 80 has an identity $ID_1$, for example the user's name 'Bob', with the trusted authority 70 and another identity $ID_2$, for example the name of the company the user 80 works for, with the trusted authority 200.

Each independent identity $ID_i$ corresponds to a public key of the user 80. Each second-level trusted authority 70, 200 provides the user with a private key corresponding to the user's public key with that authority, this private key being $s_iQ_{IDi}$ where $s_i$ is the secret of the trusted authority concerned and $Q_{IDi} = H_1(ID_i)$.

As will be described below, to send an encrypted message to the user 80 the business partner 90 encrypts the message with a combination of the user's public keys associated with the respective second-level trusted authorities 70, 200 (i.e. the user's identities associated with the respective trusted authorities) and the respective trusted authority's public key. To recover the encrypted message, the user 80 decrypts the message with the user's corresponding private key.

To sign a message a user 80 uses its private keys. To verify the signature a verifier uses a combination of the trusted authority's public key with the user's corresponding public keys.



First embodiment: Considering now the details of the first embodiment, this embodiment uses Tate pairings. In this embodiment, the public key element $s_iP$ of each second-level trusted authority is designated $R_{TAi}$ and the user's identity based private key $s_iQ_{IDi}$ is designated $S_i$ where $i = 1, \ldots, n$ (n being 2 for the Figure 2 example).

To allow the business partner 90 to encrypt a message $m \in \{0,1\}^n$ for the user 80 based upon the independent identities associated with each second-level trusted authority 70, 200 the business partner 90 generates ciphertext V and U, where:

$V = m \oplus H_3(\prod_{1 \le i \le 2} t(R_{TAi}, rQ_{IDi}))$

and

$U = rP$

where r is a random number selected by the business partner 90. In the general case with the business partner using public keys associated with n trusted authorities, the range of i is from 1 to n (rather than from 1 to 2 as in the example given above). It will be appreciated that where the number of trusted authorities in respect of which the user 80 has a respective identity and corresponding private key $S_i$ is greater than 2, the business partner can choose to use the public keys $R_{TAi}$, $Q_{IDi}$ associated with a subset of these trusted authorities when encrypting the message - in other words, there is no requirement to involve all the trusted authorities, but only those considered relevant by the business partner. This can be expressed by introducing a string:

$b = (b_1, \ldots, b_n)$

where the '0' or '1' value of bit i of the string indicates the non-use or use of the public keys associated with the corresponding trusted authority in encryption of the message m. The computation of V can now be generalized to

Decryption is performed by computing:

$m = V \oplus H_3(t(U, \sum_{1 \le i \le n} b_i S_i))$

with n being equal to 2 in the present example (and $b_1 = 1$ and $b_2 = 1$). Accordingly, message m can only be decrypted with knowledge of both private keys $S_i$.

The equivalence of:

the encryption element: $\prod_{1 \le i \le n} t(R_{TAi}, rQ_{IDi})^{b_i}$ ("Enc"),

and the decryption element: $t(U, \sum_{1 \le i \le n} b_i S_i)$ ("Dec")

is readily demonstrated. For example, starting with the encryption element Enc:

$\ldots = t(rP, \sum_{1 \le i \le n} b_i s_i Q_{IDi})$



which is the decryption element Dec. 
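The following is an added example, not code from the patent: it runs the first embodiment's encryption and decryption with the selection string b and shows that Enc and Dec agree only when the user holds every selected private key. It assumes a constructed toy bilinear map (integers modulo a small prime standing in for curve points, which is insecure), SHA-256 and SHAKE-256 as stand-ins for $H_1$ and $H_3$, and hypothetical names such as `TrustedAuthority`, `encrypt` and `decrypt`.

```python
import hashlib
import secrets

# Constructed toy bilinear group, INSECURE and for illustration only:
# G1 is Z_q written additively (a "point" is an integer mod q) and G2 is the
# order-q subgroup of Z_p^*. Discrete logs in this G1 are trivial.
Q_ORDER = 1019   # prime order q of G1 and G2
P_MOD = 2039     # prime p = 2q + 1, so Z_p^* has a subgroup of order q
G2_GEN = 4       # generator of that subgroup
P = 7            # the common point P shared by all trusted authorities


def pairing(x, y):
    """Toy symmetric map t(aP, bP) = t(P, P)^(ab); bilinear in both arguments."""
    return pow(G2_GEN, (x * y) % Q_ORDER, P_MOD)


def h1(identity):
    """Stand-in for H1: {0,1}* -> G1, mapped to a non-identity element Q_ID."""
    digest = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q_ORDER - 1)


def h3(g2_element, length):
    """Stand-in for H3: G2 -> {0,1}*, stretched to the message length."""
    return hashlib.shake_256(b"H3|%d" % g2_element).digest(length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class TrustedAuthority:
    """Second-level authority TAi with secret s_i and public element R_TAi = s_i P."""

    def __init__(self):
        self._s = 1 + secrets.randbelow(Q_ORDER - 1)
        self.public = (self._s * P) % Q_ORDER

    def issue_private_key(self, identity):
        return (self._s * h1(identity)) % Q_ORDER      # S_i = s_i Q_IDi


def encrypt(message, ta_publics, identities, b):
    """Return (U, V): V = m XOR H3(prod_i t(R_TAi, r Q_IDi)^b_i), U = rP."""
    r = 1 + secrets.randbelow(Q_ORDER - 1)
    enc = 1
    for r_ta, identity, bit in zip(ta_publics, identities, b):
        if bit:
            enc = enc * pairing(r_ta, r * h1(identity)) % P_MOD
    return (r * P) % Q_ORDER, xor(message, h3(enc, len(message)))


def decrypt(u, v, private_keys, b):
    """Return V XOR H3(t(U, sum_i b_i S_i)); keys with b_i = 0 are not needed."""
    combined = sum(s for s, bit in zip(private_keys, b) if bit) % Q_ORDER
    return xor(v, h3(pairing(u, combined), len(v)))


def demo():
    ta1, ta2 = TrustedAuthority(), TrustedAuthority()
    ids = ["Bob", "Company X"]                  # constructed identities ID_1, ID_2
    keys = [ta1.issue_private_key(ids[0]), ta2.issue_private_key(ids[1])]
    pubs = [ta1.public, ta2.public]
    msg = b"constructed sample message"
    u, v = encrypt(msg, pubs, ids, (1, 1))
    both = decrypt(u, v, keys, (1, 1))          # Dec with S_1 and S_2
    only_first = decrypt(u, v, keys, (1, 0))    # Dec attempted with S_1 alone
    u2, v2 = encrypt(msg, pubs, ids, (1, 0))    # sender selects TA1 only
    subset = decrypt(u2, v2, keys, (1, 0))
    return msg, both, only_first, subset


if __name__ == "__main__":
    msg, both, only_first, subset = demo()
    print(both == msg, only_first == msg, subset == msg)
```
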

Second Embodiment - This embodiment uses Weil pairings and allows the business partner to send an encrypted message to the user 80. To avoid over-complicating this embodiment, it will be assumed that all n trusted authorities that have issued private keys to the user 80 are involved so that the use of the string b introduced above in respect of the first embodiment can be omitted; however, it is to be understood that a subset of the n trusted authorities can be used rather than all n authorities.

The elliptic curve E used in this embodiment is defined by $y^2 = x^3 + 1$ over $F_p$ and the point P is an arbitrary point on the elliptic curve where $P \in E/F_p$ of order q, and p is a large (at least 512-bits) prime such that $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$. This embodiment uses the hash functions:

$H_1: \{0,1\}^* \rightarrow F_p$;

$H_2: F_{p^2} \rightarrow \{0,1\}^l$ for some $l$;

$H_4: \{0,1\}^* \rightarrow \{0,1\}^*$;

In this embodiment, the public key element $s_iP$ of each second-level trusted authority TAi ($i = 1, \ldots, n$) is designated $P_{pubi}$, where $s_i \in Z_q^*$. The user's identity based private key $s_iQ_{IDi}$ is designated $d_{IDi}$ where $i = 1, \ldots, n$ (n being 2 for the Figure 2 example).

This embodiment concerns the business partner 90 encrypting a message $m \in \{0,1\}^*$ for the user 80 using the public keys $Q_{IDi}$, $P_{pubi}$ associated with multiple trusted authorities TAi ($i = 1, \ldots, n$) which the user can only decrypt if the user 80 has the corresponding private keys $d_{IDi}$ ($i = 1, \ldots, n$), each respectively issued by a trusted authority TAi ($i = 1, \ldots, n$) and corresponding to $s_iQ_{IDi}$ ($i = 1, \ldots, n$) where $Q_{IDi} \in E/F_p$ of order q.

To encrypt a message, m, the business partner 90:

Computes MapToPoint($H_1(ID_i)$) = $Q_{IDi}$ ($i = 1, \ldots, n$) $\in E/F_p$ of order q.

Selects a random number $\sigma \in \{0,1\}^*$.

Computes $r = H_3(\sigma, m)$, where r is a random element that is to be used to ensure only someone with the appropriate private key can decrypt the message, m.

Computes $U = rP$.

Computes $g_{ID} = \prod_{1 \le i \le n} e(Q_{IDi}, P_{pubi}) \in F_{p^2}$.

Computes $V = \sigma \oplus H_2(g_{ID}^r)$.

Computes $W = m \oplus H_4(\sigma)$.

Sets the ciphertext to be $C = (U, V, W)$.

To decrypt the message, m, the user 80:

Tests $U \in E/F_p$ of order q;

Computes $x = e(\sum_{1 \le i \le n} d_{IDi}, U)$;

Computes $\sigma = V \oplus H_2(x)$;

Computes $m = W \oplus H_4(\sigma)$;

Computes $r = H_3(\sigma, m)$;

Checks $U = rP$.

Third Embodiment - This embodiment uses Weil pairings and allows the user to sign a message. To avoid over-complicating this embodiment, it will be assumed that all n trusted authorities that have issued private keys to the user 80 are involved so that the use of the string b introduced above in respect of the first embodiment can be omitted; however, it is to be understood that a subset of the n trusted authorities can be used rather than all n authorities.

The elliptic curve E used in this embodiment is defined by $y^2 = x^3 + 1$ over $F_p$ and the point P is an arbitrary point on the elliptic curve where $P \in E/F_p$ of order q, and p is a large (at least 512-bits) prime such that $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$. This embodiment uses the following two hash functions:

$H_1: \{0,1\}^* \rightarrow F_p$;

$H_2: \{0,1\}^* \times \{0,1\}^* \rightarrow Z_q^*$.

In this embodiment, the public key element $s_iP$ of each second-level trusted authority TAi ($i = 1, \ldots, n$) is designated $P_{pubi}$ where $s_i \in Z_q^*$. The user's identity based private key $s_iQ_{IDi}$ is designated $d_{IDi}$ where $i = 1, \ldots, n$ (n being 2 for the Figure 2 example).

The user signs a message $m \in \{0,1\}^*$ under a number of private keys $d_{IDi}$ ($i = 1, \ldots, n$), each respectively issued by a respective trusted authority, i.e. TAi ($i = 1, \ldots, n$) corresponding to a public key $Q_{IDi}$ ($i = 1, \ldots, n$). The business partner 90 verifies the signature by using both the user's public keys corresponding to the signing private keys and the TAi's public keys.

To sign a message, m, the user 80:

Selects a random $z \in \{0,1\}^*$;

Computes $U = zP$;

Computes $h = H_2(m, U)$;

Computes $V = h \sum_{1 \le i \le n} d_{IDi} + z \sum_{1 \le i \le n} P_{pubi}$;

Ships to the business partner m, U and V.

To verify the signature (m, U, V) the business partner 90:

Computes MapToPoint($H_1(ID_i)$) = $Q_{IDi} \in E/F_p$ of order q;

Computes $h = H_2(m, U)$;

Computes $x = e(P, V)$;

Computes $y = \prod_{1 \le i \le n} e(P_{pubi}, hQ_{IDi} + U)$;

Checks $x = y$.
Fourth Embodiment - This embodiment uses Weil pairings and also allows the user to sign a message. To avoid over-complicating this embodiment, it will be assumed that all n trusted authorities that have issued private keys to the user 80 are involved so that the use of the string b introduced above in respect of the first embodiment can be omitted; however, it is to be understood that a subset of the n trusted authorities can be used rather than all n authorities.

The elliptic curve E used in this embodiment is defined by $y^2 = x^3 + 1$ over $F_p$ and the point P is an arbitrary point on the elliptic curve where $P \in E/F_p$ of order q, and p is a large (at least 512-bits) prime such that $p = 2 \bmod 3$ and $p = 6q - 1$ for some prime $q > 3$. This embodiment uses the following two hash functions:

$H_2: \{0,1\}^* \times \{0,1\}^* \rightarrow Z_q^*$

In this embodiment, the public key element $s_iP$ of each second-level trusted authority TAi ($i = 1, \ldots, n$) is designated $P_{pubi}$ where $s_i \in Z_q^*$. The user's identity based private key $s_iQ_{IDi}$ is designated $d_{IDi}$ where $i = 1, \ldots, n$ (n being 2 for the Figure 2 example).

The user 80 signs a message $m \in \{0,1\}^*$ under a number of private keys $d_{IDi}$ ($i = 1, \ldots, n$), each respectively issued by a respective trusted authority, i.e. TAi ($i = 1, \ldots, n$) corresponding to a public key $Q_{IDi}$ ($i = 1, \ldots, n$). The business partner 90 verifies the signature by using both the user's public keys corresponding to the signing private keys and the TAi's public keys.

To sign a message, m, the user 80:

Selects a random $k \in \{0,1\}^*$;

Computes $e = e(\sum_{1 \le i \le n} d_{IDi}, P)$;

Computes $r = e^k$;

Computes $h = H_2(m, r)$;

Computes $S = (k - h) \sum_{1 \le i \le n} d_{IDi}$;

Ships to the business partner m, h and S.

To verify the signature (m, h, S) the business partner 90:

Computes MapToPoint($H_1(ID_i)$) = $Q_{IDi} \in E/F_p$ of order q;

Computes $e' = \prod_{1 \le i \le n} e(Q_{IDi}, P_{pubi})$ - may be pre-computed;

Computes $r' = e(S, P)e'^h$;

Checks $h = H_2(m, r')$.

Each of the four above-described embodiments discloses complementary cryptographic processes (that is, message encryption / decryption or message signature / verification). Each of these processes effectively involves the generation of a corresponding cryptographic key, though in the case of the third embodiment, this key is compound in nature (that is, is composed of more than one operative element). Figure 3 sets out in tabular form, for each embodiment, the key types involved.

Each cryptographic key is derived from data concerning at least two associations of user identity and trusted authority and Figure 3 gives for an i-th such association, the elements through which the user-identity data and the trusted authority (TA) data is present (the "Identity element" column and the "TA element" column respectively); in effect, for each association, there is a data set formed by data concerning the user identity and trusted authority involved.

Also shown in Figure 3 is the session element used in each case, typically based on a random number chosen by the message encrypting or signing party.

Finally, the left-hand column in Figure 3 shows the general form of each key (for simplicity, the range of i and the string b have not been included).



Variants

It will be appreciated that many variants are possible to the above described embodiments. Thus, it would be possible for each of the trusted authorities TA1 to TAn to use a different point P; that is, the general trusted authority TAi uses a point $P_i$ and has a corresponding public key $(P_i, s_iP_i)$. Appropriate modifications to the above embodiments to take account of this change will be apparent to persons skilled in the art. Thus, for example, in the first embodiment, for message encryption:

$V = m \oplus H_3(\prod_{1 \le i \le n} t(s_iP_i, rQ_{IDi})^{b_i})$

so that there is now a respective value of U for each trusted authority involved. For message decryption:

Of course, both for embodiments where there is a common P and where there is a respective $P_i$ for each trusted authority TAi ($i = 1, \ldots, n$), there are likely to be applications where it is possible for the user to use the same identity with every trusted authority and in such cases some simplification becomes possible. Thus, for the first embodiment described above where a common P is used by all trusted authorities, if the user has the same single identity ID with all authorities and $H_1(ID) = Q$, then message encryption can be reduced to:

$V = m \oplus H_3(t(\sum_{1 \le i \le n} b_i s_i P, rQ))$

$U = rP$

with the decryption expression being the same as given for the first embodiment. If there is a different $P_i$ for each trusted authority TAi, then encryption becomes

$V = m \oplus H_3(t(\sum_{1 \le i \le n} b_i s_i P_i, rQ))$

$U_i = rP_i$

with the same decryption expression as given above for the case of the user having a different ID with each trusted authority. Similar modifications will be apparent for the second, third and fourth embodiments described above.

Conversely, both for embodiments where there is a common P and where there is a respective $P_i$ for each trusted authority TAi ($i = 1, \ldots, n$), there are likely to be applications where a more complex relationship exists between identities and trusted authorities - not only may a user have multiple identities but each identity may be used with several trusted authorities such that several identities may be used with the same trusted authority. Thus, where there are n trusted authorities TAi (where $i = 1, \ldots, n$) and n identities $ID_i$ (where $i = 1, \ldots, n$; though it may be noted that the value of n need not be the same for trusted authorities and identities), there is a set of atomic pairs (TAi, $ID_j$, $i, j = 1, \ldots, n$). Taking the case of P being the same for all trusted authorities, each trusted authority has its own standard public key $(P, R_{TAi})$ where $R_{TAi} = s_iP$ and may provide the user with up to n private keys each based on a respective one of the identities of the user; the generalized user private key is thus:

$S_{ij} = s_iQ_{IDj}$ where $Q_{IDj} = H_1(ID_j)$

A bit string $b = (b_{11}, \ldots, b_{ij}, \ldots, b_{nn})$ can be used to define the absence or presence of a particular private key. Applying this to modify the first embodiment described above, encryption can then be expressed as:

$U = rP$

and decryption becomes:

$m = V \oplus H_3(t(U, \sum_{1 \le i,j \le n} b_{ij} S_{ij}))$

An example application is where Alice and Bob want to open a joint account in a community. They download an application form from the community's web site. Within the form, they are asked for information of their employment and address. They fill the form with the following information: Alice is an employee of company X; Bob is an employee of company Y and both of them are living in town Z. The community sends them an encrypted document giving them community membership. Alice and Bob have to work together to decrypt this document and thereby effectively form a single recipient user. The community chooses 'Alice of Z' and 'Bob of Z' as their IDs respectively; and chooses company X, company Y and the local authority for town Z as trusted authorities. In this application,

$Q_1 = H_1$(Alice of Z), and $Q_2 = H_1$(Bob of Z),

$R_{TA1} = s_XP$, $R_{TA2} = s_YP$, and $R_{TA3} = s_ZP$,

$S_{11} = s_XQ_1$, $S_{22} = s_YQ_2$, $S_{31} = s_ZQ_1$, and $S_{32} = s_ZQ_2$,

$b_{11}, b_{22}, b_{31}, b_{32} = 1$, $b_{12}, b_{21} = 0$,

Document encryption was by:

$V = m \oplus H_3(\prod_{1 \le i \le 3, 1 \le j \le 2} t(R_{TAi}, rQ_{IDj})^{b_{ij}})$

$U = rP$

and decryption becomes:

In the case where there is a respective $P_i$ for each trusted authority TAi ($i = 1, \ldots, n$) and the user has private keys $S_{ij}$, the encryption equations are:

$V = m \oplus H_3(\prod_{1 \le i,j \le n} t(R_{TAi}, rQ_{IDj})^{b_{ij}})$

$U_i = rP_i$

and decryption becomes:

$m = V \oplus H_3(\prod_{1 \le i,j \le n} t(U_i, S_{ij})^{b_{ij}})$

Similar modifications for handling $S_{ij}$ will be apparent for the second, third and fourth embodiments described above.